

(19) World Intellectual Property Organization International Bureau



(43) International Publication Date  
28 July 2005 (28.07.2005)

PCT

(10) International Publication Number  
WO 2005/069089 A2

(51) International Patent Classification⁷:

G05B 9/03

(21) International Application Number:

PCT/IB2005/050701

(22) International Filing Date: 13 January 2005 (13.01.2005)

(25) Filing Language:

English

(26) Publication Language:

English

(30) Priority Data:

04300018.1 13 January 2004 (13.01.2004) FR

(71) Applicant (for all designated States except US): RENAULT S.A.S. [FR/FR]; 13, 15 quai Alphonse le Gallo, F-92100 Boulogne-Billancourt (FR).

(72) Inventor; and

(75) Inventor/Applicant (for US only): BOUTIN, Samuel [FR/FR]; 10 chemin de la chapelle, F-78114 MAGNY-LES-HAMEAUX (FR).

(74) Agent: DAVIES, Owen; Renault Technocentre, TCR GRA 1 55-SCE 0267, 1 avenue du Golf, F-78288 Guyancourt (FR).

(54) Title: DESIGN OF SAFETY CRITICAL SYSTEMS




(57) Abstract: A method is disclosed of producing a system architecture comprising a plurality of electrical devices connected to each other, said system preferably comprising a fault tolerant system, the method including: a) identifying a set of undesirable events and ascribing to each of said undesirable events an indicator of their severity; b) associating where possible each said undesirable event with one or more actuators of said system architecture; c) developing a functional specification of an initial architecture proposed for implementation of said system architecture, said functional specification of said initial architecture including dataflow for and between components thereof, said components comprising for example sensors or actuators; d) refining on said functional specification the fault tolerance requirements associated with the severity of each said undesirable event and issuing refined fault tolerance requirements of said functional specification; e) producing replicates in said functional specification together with attached indicators of independence of said replicates, said indicators reflecting said refined fault tolerance requirements; f) defining a hardware structure for said system architecture, e.g. a series of electronic control units connected to each other by networks; g) mapping of said functional specification onto said hardware structure; and h) verifying automatically that said indicators of independence are preserved during mapping.